INFORMATION SYSTEMS AUDITS


Information Systems (IS) audits conducted by the Legislative 
Audit Division are designed to assess controls in an IS 
environment. IS controls provide assurance over the accuracy, 
reliability, and integrity of the information processed. From 
the audit work, a determination is made as to whether controls 
exist and are operating as designed. We conducted this IS audit 
in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our 
audit objectives. We believe that the evidence obtained provides 
a reasonable basis for our finding and conclusions based on our 
audit objectives. 


Members of the IS audit staff hold degrees in disciplines 
appropriate to the audit process. Areas of expertise include 
business, accounting, information technology, computer science, 
mathematics, political science, and communications. 


IS audits are performed as stand-alone audits of IS controls or 
in conjunction with financial-compliance and/or performance 
audits conducted by the office. These audits are done under the 
oversight of the Legislative Audit Committee which is a bicameral 
and bipartisan standing committee of the Montana Legislature. 
The committee consists of six members of the Senate and six 
members of the House of Representatives. 
June 2012


The Legislative Audit Committee 
of the Montana State Legislature: 


We conducted an Information Systems audit of IT Governance in Montana. The 
purpose of the audit was to evaluate the effectiveness of the Montana Information 
Technology Act (MITA) and the processes in place to govern information technology. 


Overall, MITA provides an effective governance framework for Montana. However, 
we identified several areas where procedures could be changed to improve effectiveness. 
We wish to express our appreciation to the Department of Administration for their
cooperation and assistance.
Respectfully submitted, 


/s/ Tori Hunthausen


Tori Hunthausen, CPA 
Legislative Auditor 


Room 160 • State Capitol Building • PO Box 201705 • Helena, MT • 59620-1705
Phone (406) 444-3122 • FAX (406) 444-9784 • E-Mail lad@mt.gov
11DP-13 REPORT SUMMARY


The Montana Information Technology Act (MITA) provides the framework for IT 
governance. This law created the State Chief Information Officer position, which 
has the main responsibility for oversight of IT. For the 2011 biennium, agencies 
anticipated spending over $259 million for IT projects. The need for effective 
governance for IT resources continues as more state resources are devoted to
this area.


Context 


The Montana Information Technology 
Act, Title 2, chapter 17, part 5, MCA, was 
implemented in 2001 to facilitate effective 
deployment of IT resources and clarify
governance responsibilities. IT governance was 
assigned to the Department of Administration 
(DOA), which appointed a State Chief 
Information Officer (CIO) to implement 
MITA requirements. 


The IT planning cycle is an ongoing process
that incorporates development of plans and
reporting on plan progress, both at the agency
level and statewide. MITA includes provisions
which require specific documents, the elements
which should be included within those
documents, and timeframes for completing
the process. The four main documents are:
1) the State Strategic Plan, 2) agency IT
plans, 3) agency biennial reports, and 4) the
State Biennial Report. IT planning cycle
documentation provides the basis for ongoing
review of IT activities.


Results 

MITA provides an effective governance
structure for Montana. There are established
processes and controls for key steps within
IT management. Roles and responsibilities
have been defined and implemented. One
area we reviewed involved advisory groups.
These groups are an effective tool for
improving IT governance through increased
communication and collaboration.


While MITA defines the planning and 
reporting processes, we noted variations with 
the information reported in IT plans and 
reports. This results in a lack of continuity. 
Lack of continuity prevents the development 
of trends which is integral to monitoring 
the effectiveness of the development of IT 
resources. The department should strengthen 
its oversight to ensure planning and reporting 
is complete and consistent from year to year. 


Monitoring the development of IT projects
is an important aspect of governance.
Development of an IT project starts with
identification of a need, then progresses
through several stages including definition,
cost estimation, funding and appropriation,
development, and finally implementation.

Based on our audit work, there are numerous
IT projects not reported because they
fall under a certain dollar amount. As a
result, the current process does not provide
the department or the legislature with a
comprehensive view of all IT activities.


Best practices recognize ongoing monitoring 
of a project is a critical component of 
development and a strategic part of IT 
governance. Current policy does not 
include any details or guidance on project 
management. Providing additional project 
management guidance, including reporting 
requirements for ongoing project management 
activity, will help increase continuity and 
ensure the ongoing health of IT projects. 


MITA requires the department to establish 
and enforce statewide information technology 
policies and standards. As part of our audit 
work, we evaluated the effectiveness of DOA 
policy development. We noted several factors 
that contribute to confusion among agency 
personnel regarding statewide policies. We 
recommend the department formalize its 
policy development process. 


Recommendation Concurrence 


Source: Agency audit response included in 
final report. 


For a complete copy of the report (11DP-13) or for further information, contact the 
Legislative Audit Division at 406-444-3122; e-mail to lad@mt.gov; or check the web site at 
http://leg.mt.gov/audit 
Report Fraud, Waste, and Abuse to the Legislative Auditor's FRAUD HOTLINE 


Call toll-free 1-800-222-4446, or e-mail lad@mt.gov. 








Chapter I — Introduction and Background


Introduction 


The Montana Information Technology Act (MITA), Title 2, chapter 17, part 5, MCA, 
was implemented in 2001 to facilitate effective deployment of information technology 
(IT) resources and clarify governance responsibilities. IT governance was assigned to 
the Department of Administration (DOA). To address these responsibilities, DOA 
appointed a State Chief Information Officer (CIO) to manage the Statewide Information 
Technology Services Division (SITSD) and implement MITA requirements. The 
legislation enacting MITA also amended §5-12-205, MCA, adding duties to the 
Legislative Finance Committee (LFC) for monitoring the IT policies of DOA. MITA 
exempts the Montana University System, Office of Public Instruction, and National 
Guard from certain sections of the law. Each of these three entities has different levels 
of exemptions, but none of the three is exempt from all provisions within MITA. With 
few exceptions, this law has remained unchanged since its passage. 


The need for effective governance for IT resources continues as more state resources are 
devoted to this area. The state currently operates over 400 IT systems which provide 
over 200 system supported services. According to the 2011 state biennial IT report, 
there were 283 sites housing 1,135 physical servers, which store and run applications. 
Agencies, via IT plans for the 2011 biennium, anticipated spending over $259 million 
for IT projects including the development of new applications, purchase of new 
equipment, maintenance of older systems and equipment, and consolidation efforts. 


Audit Objective

In 2005 our office performed an Enterprise IT Management audit (05DP-06) with
a focus on the actions taken to implement MITA. That audit identified several issues
and made recommendations in the following areas:

• Commitment to the execution of centralized management and control of IT
• Plans for addressing each section of MITA
• Maintaining IT policies/standards and ensuring agency compliance
• Coordinating with the Office of Budget and Program Planning on new IT
  investments

In 2007 we performed a follow-up to the Enterprise IT Management audit. We
concluded DOA was implementing each of the recommendations, with the following
items still under development:

• Policy on how to implement MITA
• Policies and procedures to ensure agency compliance
• Policy for agency IT planning


MITA has now been in place for 10 years in a rapidly changing IT environment. 
During that time, the department has continued to develop governance policies and 
procedures. This audit further examines the effectiveness of how this governance 
is working in light of statutory requirements. Our objective was to determine the 
effectiveness of current IT governance in Montana. 


Audit Scope and Methodologies 


Our work focused on the main processes used in governance including planning,
boards/councils, policies, and review of projects/system development. Specific work
included:

• Interviewing agency personnel.
  ◦ DOA, Information Technology Board, Information Technology
    Managers Council, Legislative
• Conducting a survey of state agencies, universities, and elected officials.
  ◦ Twenty-nine entities surveyed with 23 responses
• Reviewing and analyzing documentation associated with our focus areas.
  ◦ Agency IT plans, project summaries, and biennial reports
  ◦ State strategic plans and biennial reports
  ◦ Session laws and associated hearing minutes
  ◦ LFC meeting minutes and Legislative Fiscal Division reports
  ◦ Other states’ summary information
• Reviewing and analyzing laws, state IT policies, and related best practices.
  ◦ Title 2, chapter 17, part 5 (MITA) and §5-12-205, MCA
  ◦ Montana Operations Manual
  ◦ Control Objectives for Information and related Technology (COBIT)
• Analyzing past audit reports.
  ◦ Audit reports issued in the past five years


Audit work was conducted in accordance with Government Auditing Standards 
published by the United States Government Accountability Office. 


Chapter II — Improving Oversight of Processes and Activities


Introduction 


Governance can include everything from establishing processes for guiding activities, 
to monitoring how activities are conducted, to ensuring standards are being met. In 
Montana, there are several components of information technology (IT) governance. 
The Montana Information Technology Act (MITA) assigns primary governance 
responsibility to the Department of Administration (DOA). The following figure 
depicts the current IT governance structure for state government. 


Figure 1 
Information Technology Governance in Montana 
Source: Compiled by the Legislative Audit Division.





The law also creates the state Chief Information Officer (CIO) position and outlines 
three main duties including carrying out duties as assigned by the Director, serving as 
the chief IT policy advisor to the Director, and advising the Director on enforcement. 
The law creates the Information Technology Board (ITB) which functions in an 
advisory capacity. In addition, the bill that enacted MITA gave the Legislative Finance
Committee (LFC) oversight responsibilities regarding IT related activities. 


We examined the roles and responsibilities within this governance structure to 
determine the effectiveness of processes. 


Overall Conclusion: MITA Has Improved IT Governance in Montana

We conclude MITA provides an effective governance structure for Montana. There
are established processes and controls for key steps within IT management. Roles and
responsibilities have been defined and implemented. In addition, our survey of state
agency IT personnel indicates agencies have a positive position on the effectiveness
of MITA. Figure 2 shows agency views on the overall effectiveness of MITA.

Figure 2
Agency Views on MITA Effectiveness
Overall, how would you rate the effectiveness of MITA
in improving IT governance in Montana?
[Chart not reproduced. Legend: Very Effective, Somewhat Effective, Neutral]
Source: Compiled by the Legislative Audit Division
from Information Technology Governance survey.





Conclusion: MITA Has Improved Collaboration and Communication


Section 2-15-1021, MCA, requires the creation of an Information Technology Board 
and MITA establishes its responsibilities. The board is responsible for advising the 
department in numerous areas including: 


• Enterprise IT policy.
• State strategic IT plan.
• Major technology budget requests.
• Rates charged by the department for IT services.


In addition to ITB, the department has created a number of other groups designed to
improve collaboration and communication for IT governance. These groups include,
among others, the Information Technology Managers Council (ITMC), Network
Managers Group, and Project Management Office Advisory Group. ITMC is to
advise the department to help improve management of data and IT resources through
discussion of issues, analysis of opportunities, and sharing of ideas. The ITB is the
main group for providing advice from a business perspective, whereas ITMC is the
main group for providing advice from a technical perspective.


We reviewed the implementation of these groups to determine their effectiveness in 
improving IT governance in Montana. Our work consisted of interviewing current and 
former members of both ITB and ITMC, observing group meetings and reviewing 
past minutes, interviewing SITSD management, and surveying state agencies. Overall, 
we noted these groups are an effective tool for improving IT governance. The primary 
benefit of these groups is increased communication and collaboration. 


MITA Provides Governance for IT Planning 


An essential component of MITA is the planning cycle. This cycle is an ongoing 
process that incorporates development of plans and reporting on plan progress, both 
at the agency level and statewide. MITA includes provisions which require specific 
documents, the elements which should be included within those documents, and 
timeframes for completing the process. DOA has developed additional timeframes 
and rules which govern the process in more detail. 


Within the IT planning cycle, there are four documents required by statute: 


• State Strategic Plan for IT: DOA is required to develop a State Strategic
  Plan for IT to establish “the statewide mission, goals, and objectives for the
  use of information technology” and “the strategic direction for how state
  agencies will develop and use information technology resources to provide
  state government resources.”

• Agency IT Plans: Executive branch agencies are to develop their own
  individual IT plans. Statute provides further guidance on content of IT
  plans including the agency mission, goals, and objectives for IT.

• Agency Biennial IT Reports: Agencies are required to develop an agency
  biennial report evaluating progress toward their agency IT plan goals and
  objectives.

• State Biennial IT Report: DOA is required to develop a State Biennial IT
  Report, based on agency IT plans and performance reports, analyzing the IT
  environment and reporting on progress and performance.





These four deliverables form one iteration of the continuous planning cycle. This
iterative process occurs within an 18-month timeframe and was developed to coincide 
with the state budget and appropriations process. MITA requires each agency IT plan 
to project activities and costs over a six-year time period. 
Review of IT Activity


Monitoring the development of IT projects is an important aspect of governance. 
Development of an IT project starts with identification of a business need. The project
then progresses through several stages including definition, cost estimation, funding 
and appropriation, development, and finally implementation. 


Section 2-17-526(1)(b), MCA, states SITSD and OBPP are to jointly determine
the criteria for classifying major IT projects. Currently, all IT projects estimated at
$500,000 or more are considered major projects. Our survey indicated 70 percent of the
agencies who responded have less than half of their IT projects reviewed because they
do not exceed the threshold. Furthermore, 40 percent of the respondents said
that 90-100 percent of their projects do not get reported. Figure 3 shows the
breakdown of reporting based on the current threshold.

Figure 3
Agency Reporting Based on Threshold
What percentage of your agency’s IT projects would you
estimate do not get reported through the strategic planning
and reporting process due to being below $500,000?
[Chart not reproduced. Legend categories as recovered: 90-100%, 80-89%, 50-59%, 0-9%]
Source: Compiled by the Legislative Audit Division from
Information Technology Governance survey.

In addition to not exceeding the $500,000 threshold, there are other reasons
agencies may not report IT activity. These include agencies not reporting
a project because they do not require funding through the Long-Range IT
Planning Program, agencies
underestimating the cost of a project, and agencies separating a larger project into a
series of smaller projects that all fall under the threshold.


Conclusion: Not All IT Activity is Reported or Reviewed 


Based on our audit work, there are numerous IT projects not reported because they 
fall under the threshold. The state CIO provides a project portfolio report to the LFC 
on a quarterly basis. This project portfolio report includes all major projects (those 
over $500,000). The LFC recognized a need to expand the criteria for what projects to 
review, as well as providing more detail and clarity to the report in order to “adequately 
capture IT development within state government.” The LFC indicated the criteria do
not capture sizeable investments being made in IT within base budgets and do not
contain any post implementation operational costs. This unreported IT activity is not 
summarized or presented in any reports. In addition, not all IT activity is reviewed by 
the state CIO or oversight entities. As a result, the current process does not provide the 
department or the legislature with a comprehensive view of all IT activities. 


MITA Defines the Planning and Reporting Processes 


We selected a sample of seven state agencies representing a range of sizes and business 
processes and reviewed all agency IT plans and biennial reports developed since MITA’s 
inception. We then evaluated the sample, along with the state plans and biennial 
reports for the same time period, to determine the types of information maintained 
from agency to agency and from year to year. We identified goals and objectives, as well 
as proposed projects contained in each of the plans and reports and compared them 
from one planning cycle to the next. We also evaluated the department’s guidance for 
completing plans and reports, as well as its review of proposed IT projects. 


Increased Continuity Will Strengthen Processes 


Our review determined there are inconsistencies and incompleteness with the 
information reported in plans and reports both by agency and from one biennium to 
the next. We noted variations in:

• Types of information reported
• Amount of information reported
• Amount of detail included
• Methods for reporting goals and objectives


Specifically, we reviewed the IT plan templates provided by the department and noted 
variations with the information reported by agencies. We also noted approved plans 
with blank template sections. Furthermore, the level of detail agencies included in the 
IT plan templates varied between agencies and from biennium to biennium within the 
same agency. State biennial reports did not always reflect the information contained 
within the agency biennial reports. Subsequent plans and reports do not consistently 
contain details on progress to date, changes in estimated costs or projected timelines, 
or actual expenditures. In some cases, projects were not contained in subsequent plans 
and reports, yet the projects were still in development and had not been completed. 
Therefore, we were unable to track the continued progress and development of IT 
projects. The lack of continuity weakens IT oversight. 


An example of this lack of continuity occurred at one agency beginning with the 2002
planning cycle. The agency included a database project in its list of IT objectives. The
original cost estimate for the project was $150,000 with an estimated timeframe of
four months to complete. No subsequent plan or biennial report includes the database.
However, the project continued to be developed and was completed in 2010, seven years
beyond the initial estimation. In addition, while the project was initially overestimated,
the final cost exceeded $237,000, which is 158 percent of the original budget estimate.
Had this project been tracked throughout the entire development process by inclusion
within the agency’s IT plans and reports, including changes in costs and timelines, IT
governance oversight functions may have been able to assist in earlier implementation
and possibly avoiding cost overruns.


Department Review Does Not Lend to Continuity 


The department’s review process includes a template for completing agency IT 
plans and review of the information reported. The department provides a template 
with accompanying instructions for development of agency IT plans. According to 
department guidance, MITA requirements mandate the need to collect common 
IT information from all agencies, and as a result, each agency is required to develop 
their plan in a consistent format, with specified content, based upon the information 
requirements derived from MITA. In addition, department guidance indicates 
the agency plan should reflect an update of the six-year projection of information 
technology implementation planning, and that each IT goal and its associated 
objectives and measures should be uniquely identified and numbered sequentially. 
However, the template and instructions do not help ensure continuity because they
only focus on a single biennium.


According to MITA, agency IT plans are to conform to the goals and objectives outlined 
in the State Strategic Plan, which is the primary basis for the department’s evaluation 
of the information reported in agency IT plans. Draft agency IT plans are reviewed 
by specific sections within SITSD, emphasizing areas such as network, e-government, 
data center, or contracts. The review is intended to identify any potential concerns. 
Recommendations are then forwarded to the state CIO for approval or denial. When 
submitting IT plans, agencies are required to list all proposed IT projects that are over 
$500,000. The department also reviews these major projects as part of the budget 
review process. Again, the department’s review does not help ensure continuity from 
one biennium to the next because the focus is on a single cycle. 


Improving Continuity of Documentation 


Lack of continuity prevents the development of trends over time both within 
individual agencies and statewide. Development of trends within agency IT plans and 
the State Strategic Plan, as well as biennial reporting on progress, is integral to the 
effectiveness of the continuous planning cycle. While the department is required by
MITA to review and approve agency IT plans, and to report on the performance of
those plans, the specific requirements enumerated in statute do not address continuity. 
The department should strengthen its oversight to ensure planning and reporting is 
complete and consistent from year to year. 


RECOMMENDATION #1

We recommend the Department of Administration modify its agency
information technology plan template and review process to ensure
completeness and continuity.


Insufficient Project Management Policy Limits Continuity 


Best practices recognize ongoing monitoring of a project is a critical component of 
development and a strategic part of IT governance. The state CIO implemented a 
project management policy on March 1, 2011 requiring agencies to follow the American 
National Standards Institute, Project Management Institute’s Guide to the Project 
Management Body of Knowledge (PMBOK). However, this policy does not include 
any details or guidance on project management, including what projects should follow 
PMBOK, how to manage activities, how and when to report on project status during 
development, or reporting requirements after implementation. As a result, guidance 
regarding project management is limited, which impacts the ability to track progress of 
IT activity from conception through implementation. 


On a quarterly basis, the state CIO presents the status of ongoing major projects to the 
LFC. The data provided is a project summary and does not include details regarding 
the complexities of developing an IT project. The LFC recently requested a major 
project post-implementation report for its quarterly meetings, which the state CIO 
is now providing. While the actions of the state CIO and the LFC provide increased 
oversight of projects, agency guidance and requirements for project management is 
limited. Providing additional project management guidance, including reporting 
requirements for ongoing project management activity, will help increase continuity 
and ensure the ongoing health of IT projects. Detailed policy guidance will help 
improve the comprehensiveness of oversight reporting, which will assist in validating 
estimated benefits and costs, and document effective project management practices for 
future use. 

RECOMMENDATION #2

We recommend the Department of Administration expand project
management policy guidance and reporting procedures for state agencies.


Statewide IT Policy 


Section 2-17-512(1)(@), MCA, states the department shall “establish and enforce 
statewide information technology policies and standards.” The department has 
implemented a number of statewide IT policies, standards, and guidelines to meet this 
requirement. According to SITSD definitions: 


• Policies are required courses of action or sets of requirements to be followed
  with respect to the acquisition, deployment, implementation, or use of IT
  resources.

• Standards are requirements or specifications for acceptable software,
  hardware, database, technical approach, business process, or methodology.

• Guidelines are recommended actions used to guide the use and deployment
  of IT.

Agencies are required to follow policies and standards, but guidelines are not mandatory.


As part of our audit work, we evaluated the effectiveness of DOA policy development 
by reviewing current policy structure and location, past and current policy development 
procedures and best practices, and interviewing SITSD staff and surveying agency
personnel.


Policy Development Can Be Improved 


The department follows its described policy development process. However, there are 
aspects of the development process which make policies difficult to use or to easily 
identify for the end user. The naming of and duplication between documents does not 
lend to ease of use. There are multiple policies with names which are similar or which 
are difficult for a user to distinguish between different subjects. Other policies are 
located in different sections, yet cover the same subject area. 


In addition to confusion over policy topics, policies are currently developed and released
whenever proposed. We noted a recent example of a draft policy that was released, then
retracted, and is now being considered for release again at a later date. With no defined
schedule for updating policies, users have difficulty tracking policy updates or changes.

All of these factors have contributed to confusion among agency personnel. Audits
conducted by our office have identified noncompliance in several policy areas including
access, change management, and data integrity. While the reasons for noncompliance
varied, some related to lack of knowledge and/or understanding of policy.


SITSD acknowledges concerns with the current structure of IT policies. However, 
the department does not have a formalized policy development process. Best practices 
suggest the relevance of policies should be confirmed and approved regularly. 


RECOMMENDATION #3

We recommend the Department of Administration clearly delineate
information technology policies and formalize a systematic policy
development process.

DEPARTMENT OF ADMINISTRATION
DIRECTOR'S OFFICE

STATE OF MONTANA

BRIAN SCHWEITZER, GOVERNOR
JANET R. KELLY, DIRECTOR

(406) 444-2032
FAX (406) 444-6194

MITCHELL BUILDING
125 N. ROBERTS, RM 155
PO BOX 200101
HELENA, MONTANA 59620-0101

May 30, 2012

[Stamp: RECEIVED MAY 31 2012, LEGISLATIVE AUDIT DIV.]

Ms. Tori Hunthausen, CPA
Legislative Auditor
Legislative Audit Division
PO Box 201705
Helena, MT 59620-1705

RE: Information Systems Audit #11DP-13: Strengthening Processes
Related to IT Governance


Dear Ms. Hunthausen: 

The Department of Administration has reviewed Audit #11DP-13: 
Strengthening Processes Related to IT Governance. The Department’s 
responses to the recommendations are below. 


Recommendation #1 


We recommend the Department of Administration modify its agency IT plan 
template and review process to ensure completeness and continuity. 


Response: Concur. 

The Department will continue its work to update the IT Plan template, 
clarify instructions, and review criteria to ensure planning and reporting is 
complete and consistent from one biennium to the next. 


Recommendation #2 


We recommend the Department of Administration expand project 
management policy guidance and reporting procedures for state agencies. 


Response: Concur.

The Department will continue to work to expand project management policy
guidance and reporting procedures. The Department expects to complete its
work developing a Project Management Standard by July 1, 2012.


"AN EQUAL OPPORTUNITY EMPLOYER" 

Recommendation #3


We recommend the Department of Administration clearly delineate 
information technology policies and formalize a systematic policy 
development process. 


Response: Concur. 

The Department is currently clarifying and streamlining all policy 
documents, including a restructure of its formalized policy development 
process. 

We appreciated the hard work and careful examination that you and your 
staff provided during this audit. Our department always looks upon the 
audit process as an opportunity to improve our operations and performance. 
The Department's Corrective Action Plan (CAP) is enclosed. 


Sincerely, 


Janet R. Kelly, Director

Department of Administration 


Enclosure 